CCNA Security Lab 17 - Cisco SDM One-Step Lockdown

Lab 17 

Cisco SDM One-Step Lockdown 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to use
the Cisco SDM One-Step Lockdown feature.

Lab Purpose: 

The Cisco SDM One-Step Lockdown feature checks your router configuration for common
security weaknesses and automatically applies the configuration changes needed to
correct them, without asking you to confirm each change. It is comparable to the
Cisco IOS AutoSecure feature, which does the same job from the CLI.

Lab Difficulty: 

This lab has a difficulty rating of 5/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



[Topology diagram: R1 FastEthernet0/0 172.16.1.1/24 connected to Host 1 172.16.1.254/24]

Lab 17 Configuration Tasks 
Task 1: 

Configure the hostname on R1 as illustrated in the diagram. In addition to this,
configure Host 1 with the IP address illustrated. Because Host 1 and R1 are on
the same subnet, you do not need to configure a default gateway on Host 1.
However, ensure that Host 1 can ping R1.

Task 2: 

Configure the username sdmadmin with a privilege level of 15 and a password of
security on R1. In addition to this, enable SSH using default parameters, as
well as HTTPS on R1. HTTPS users should be authenticated using the local router
database. Configure howtonetwork.net as the domain name on R1.

Task 3:

Access R1 via SDM from Host 1 and navigate to the SDM One-Step Lockdown feature.
Initiate this feature and familiarize yourself with navigating SDM to implement
One-Step Lockdown.


Lab 17 Configuration and Verification 
Task 1: 

Router(config)#hostname R1
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#


[Screenshot: Command Prompt on Host 1. ipconfig shows Local Area Connection 2 with
IP address 172.16.1.254, subnet mask 255.255.255.0 and no default gateway (the
wireless adapter is disconnected). ping 172.16.1.1 returns four replies (bytes=32,
TTL=255), 0% loss, round-trip minimum 1ms, maximum 19ms, average 6ms.]


Task 2:

R1(config)#username sdmadmin privilege 15 secret security
R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#exit
R1#

The username is created with secret rather than password so that the credential is
stored as a hash (it appears as secret 5 in the running configuration) instead of a
reversible type-7 string. Generating the RSA key pair is what enables the SSH
server; the lab accepts the 512-bit default so the key generates quickly. A 512-bit
RSA key is not acceptable outside a lab (SSH version 2 alone requires a modulus of
at least 768 bits), so in practice enter 2048 at the prompt.

Task 3: 

To access a Cisco IOS router using SDM, you either need SDM installed on the local
machine or you can simply use any web browser and connect to the router using the
format https://x.x.x.x. Either method works in the same manner. This example is
based on SDM installed on the local computer:

Next, log into SDM using the username and password configured on R1 and click OK:
[Screenshot: SDM Home page]


Once you have successfully logged into SDM, click the Configure button, next to
the Home button in the top left-hand corner:

Next, click the Security Audit button to go to the next screen:
Once you are on the Security Audit page, click the One-step lockdown button at the
very bottom of the page:

This brings up a warning; click Yes to start the lockdown:

When the wizard has run, click the Deliver button:

Once SDM has configured the router with the recommendations, click OK to accept:

Note that One-step lockdown applies every recommended change without letting you
pick and choose, and Deliver writes them straight into the running configuration.
The Perform security audit button on the same page runs the same checks but lets
you review each finding and select which fixes to apply, which is the safer choice
on a production router.
To verify your work, click View at the top of the taskbar and select Running
Config... This opens a box with the current running configuration. Scroll through
it and familiarize yourself with the changes One-Step Lockdown made: services such
as CDP, BOOTP, source routing, ICMP redirects, unreachables and proxy ARP are
disabled, password encryption, a minimum password length and a login failure rate
are enforced, AAA with local authentication is applied to the console, aux and vty
lines, a login banner is set, and the vty lines accept SSH only. Also note what it
does not fix on this router: ip http server (plaintext HTTP management) remains
enabled alongside ip http secure-server; the vty lines keep a password 7 string,
which service password-encryption merely obfuscates (type 7 is trivially
reversible); logging trap debugging is set with no logging host; and the 512-bit
RSA key from Task 2 is untouched. Once you are satisfied, save the configuration
with copy running-config startup-config, since Deliver only changes the running
configuration.
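Checking the post-lockdown configuration mechanically is more reliable than scrolling through it. The Python script below is an added example written for this page, not part of SDM or the original lab. It takes a constructed excerpt of the R1 running configuration listed under Lab 17 Configurations below (trimmed to the lines the checks look at), confirms that the global and per-interface hardening commands One-Step Lockdown is expected to leave behind are present, and reports the leftovers a reviewer would still want to fix: plaintext HTTP management left enabled, a logging trap level with no logging host, and the vty line's type-7 password, which it decodes to show that service password-encryption only obfuscates. The list of expected commands is my own selection drawn from that listing, not an official SDM checklist.

```python
"""Audit a post-lockdown IOS running-config for the hardening items that
Cisco SDM One-Step Lockdown is expected to apply, and flag settings it
leaves behind that still deserve attention.

Added example for this lab; not SDM's or the page's own code. SAMPLE_CONFIG
is a constructed excerpt of the R1 listing shown on this page."""
import re

# Constructed excerpt of the post-lockdown R1 running-config from this lab.
SAMPLE_CONFIG = """\
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
security authentication failure rate 3 log
security passwords min-length 6
no ip source-route
no ip bootp server
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
ip http server
ip http authentication local
ip http secure-server
logging trap debugging
no cdp run
line vty 0 4
 privilege level 15
 password 7 13061E010803
 transport input ssh
"""

# Global commands One-Step Lockdown is expected to leave in the config
# (my own selection from the lab's listing, matched by prefix).
EXPECTED_GLOBALS = [
    "service password-encryption",
    "no ip source-route",
    "no ip bootp server",
    "no cdp run",
    "security passwords min-length",
    "ip ssh authentication-retries",
]

# Per-interface hardening lines expected under every interface stanza.
EXPECTED_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]

# Cisco's fixed type-7 XOR key: the first two digits of a type-7 string are
# the starting offset into this key, the remaining hex pairs are the bytes.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse an IOS 'password 7' string; this is obfuscation, not encryption."""
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(
        chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data)
    )


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its indented sub-commands (stripped)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return stanzas


def audit(config: str) -> dict:
    """Return {'missing': [...], 'findings': [...]} for a running-config."""
    lines = [l.rstrip() for l in config.splitlines()]
    missing, findings = [], []
    for cmd in EXPECTED_GLOBALS:
        if not any(l.startswith(cmd) for l in lines):
            missing.append(cmd)
    for name, sub in parse_interfaces(config).items():
        for cmd in EXPECTED_INTERFACE:
            if cmd not in sub:
                missing.append(f"{name}: {cmd}")
    # Leftovers worth a second look after the lockdown has run.
    if "ip http server" in lines:
        findings.append("plaintext HTTP management still enabled (ip http server)")
    if any(l.startswith("logging trap") for l in lines) and not any(
        l.startswith("logging host") for l in lines
    ):
        findings.append("logging trap set but no logging host configured")
    for m in re.finditer(r"^\s*password 7 ([0-9A-Fa-f]+)$", config, re.M):
        findings.append(
            f"type-7 password is reversible: decodes to {decode_type7(m.group(1))!r}"
        )
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("missing lockdown items:", result["missing"] or "none")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it as-is to audit the embedded excerpt, or replace SAMPLE_CONFIG with the text of show running-config captured from the router. The type-7 decoder is the well-known fixed-key XOR scheme IOS uses for password 7, which is why the lab's vty password comes back in clear text.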



Lab 17 Configurations 
R1 Configuration 

R1#show running-config
Building configuration...

Current configuration : 3566 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name howtonetwork.net
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 02
  30820249 308201B2 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35333336 35303330 36301E17 0D303230 33303130 31323931
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 33363530
  33303630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A10043E2 FB10C1D1 BA18F3AD 554F081C ACA14F4C EA48E0C1 4739653D B7759EE7
  8EB29881 7F391723 E2BB7EC6 54EB6F25 B4E94520 DF8DA15C 3B9E6F7C 3AA57549
  80AB643F A9427071 965DD56A 2D3E60CE 775F2ED5 C9014FCD F313F3EB B5189F62
  09F461BC 32E3E78F F93C8B07 0740DDA8 7B880D1B A3185787 CE621B35 3511A9D5
  02030100 01A37330 71300F06 03551D13 0101FF04 05300301 01FF301E 0603551D
  11041730 15821352 312E686F 77746F6E 6574776F 726B2E6E 6574301F 0603551D
  23041830 168014CD 63D2C471 B7ABA4AC F9C2B602 0D4A8954 71C7F930 1D060355
  1D0E0416 0414CD63 D2C471B7 ABA4ACF9 C2B6020D 4A895471 C7F9300D 06092A86
  4886F70D 01010405 00038181 0099F99A BE0C1D81 E0A31811 9FA6698A 7D703A20
  7A5CA49E 61A7FB5C FB0168D9 82064939 C0304B8B F1FA8654 DF2823CD D73C2664
  3B2B0C33 C1F6778C 4E3F59CB 08C11522 6BBC783C 6668E63C 7F6323EA F7E5FC8D
  42036432 34ACE605 AF94F67D A963A77F 7DF221AD 98772A67 4E08D7BF 6558FF99
  F5FA081C EC555DFC 49B89A6A 2E
  quit
!
!
username farai privilege 15 secret 5 $1$Eieg$ylhjr3tdlEm4j/2K261Pm/
username sdmadmin privilege 15 secret 5 $1$Qfwn$rxYBRsMieBo4YDasMAI8Bl
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
no cdp run
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
line aux 0
 login authentication local_authen
line vty 0 4
 privilege level 15
 password 7 13061E010803
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler allocate 4000 1000
!
end



©2006-2011 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited. 


